NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0394 SSL-Encrypted Gmail Not Safe:
The CEO of Errata Security, who last year found that it's possible to capture someone's
session cookie via wireless eavesdropping, now says that even encrypted services such as
Google's Gmail can sometimes provide him with a session cookie. This is a departure from
his advice last August when he said SSL HTTPS sessions of Gmail should be immune. His
company created two tools (Ferret and Hamster), which together help him grab session
cookies out of thin air at a local hot spot. Session cookies allow you to shop at an
e-commerce site, then leave the page and return later without re-entering your password.
One doesn't have to decode the user's password to exploit the session cookie, merely
possess it. He gave a live demonstration of his 'sidejack' attack on an audience member's
Gmail account at last year's Black Hat USA, displaying that person's inbox before a
standing-room-only crowd. Now he says that Gmail, in particular, will sometimes connect
to a hot spot first via JavaScript rather than SSL, and this allows his tool to grab the
session cookie and thus read someone else's email. The same could be true with Amazon.com
and other Web 2.0 sites.
(CNETNews.com 31JAN08)
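
From the defender's side, the exposure described above can be audited in recorded browser traffic. The following is an added example, not from the article or from Errata Security's tools: it flags session cookies that a site sets without the Secure attribute, and cookies that accompany a plain-HTTP request. The host, cookie names and record layout are constructed assumptions.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header_value):
    """Return (cookie_name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit(exchanges):
    """Flag cookies an eavesdropper on the same network could read.

    exchanges: list of dicts with 'url', optional 'set_cookie' (raw
    Set-Cookie header values) and optional 'request_cookies' (names of
    cookies the browser attached to the request).
    """
    findings = []
    for ex in exchanges:
        scheme = urlsplit(ex["url"]).scheme.lower()
        # A cookie without Secure is attached to later http:// requests
        # to the same host, even if it was issued over HTTPS.
        for raw in ex.get("set_cookie", []):
            name, attrs = parse_set_cookie(raw)
            if "secure" not in attrs:
                findings.append((ex["url"], name, "set without Secure"))
        # Any cookie on an http:// request crossed the network unencrypted.
        if scheme == "http":
            for name in ex.get("request_cookies", []):
                findings.append((ex["url"], name, "sent over plain HTTP"))
    return findings

# Constructed sample (hypothetical host and cookies, not captured traffic).
SAMPLE = [
    {"url": "https://mail.example.test/login",
     "set_cookie": ["SID=abc123; Path=/; HttpOnly",
                    "PREF=x; Path=/; Secure; HttpOnly"]},
    {"url": "http://mail.example.test/script.js",
     "request_cookies": ["SID"]},
    {"url": "https://mail.example.test/inbox",
     "request_cookies": ["SID", "PREF"]},
]

if __name__ == "__main__":
    for url, name, why in audit(SAMPLE):
        print(f"{name:5} {why:22} {url}")
```

In the sample, the login page is served over HTTPS, yet the SID cookie still appears twice in the findings: once for lacking Secure, and once because a later script request over HTTP carried it.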